Sanitize comment title and body

Victor Costa
1 parent a4fefc0c
Showing 1 changed file with 2 additions and 2 deletions Show diff stats
app/views/comment/_comment.html.erb
@@ -38,10 +38,10 @@
       <div class="comment-created-at">
         <%= show_time(comment.created_at) %>
       </div>
-      <h4><%= comment.title.blank? && '&nbsp;' || comment.title %></h4>
+      <h4><%= comment.title.blank? && '&nbsp;' || sanitize(comment.title) %></h4>
       <div class="comment-text">
         <p/>
-        <%= txt2html comment.body %>
+        <%= txt2html sanitize(comment.body) %>
       </div>
       <%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { |content| instance_exec(&content) }.join("") %>
     </div>
	@@ -38,10 +38,10 @@		@@ -38,10 +38,10 @@
38	<div class="comment-created-at">	38	<div class="comment-created-at">
39	<%= show_time(comment.created_at) %>	39	<%= show_time(comment.created_at) %>
40	</div>	40	</div>
41	- <h4><%= comment.title.blank? && ' ' \|\| comment.title %></h4>	41	+ <h4><%= comment.title.blank? && ' ' \|\| sanitize(comment.title) %></h4>
42	<div class="comment-text">	42	<div class="comment-text">
43	<p/>	43	<p/>
44	- <%= txt2html comment.body %>	44	+ <%= txt2html sanitize(comment.body) %>
45	</div>	45	</div>
46	<%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { \|content\| instance_exec(&content) }.join("") %>	46	<%= @plugins.dispatch(:comment_extra_contents, local_assigns).collect { \|content\| instance_exec(&content) }.join("") %>
47	</div>	47	</div>